What is the DNS-Persist-01 record, and why should it be on your radar?


28/5/26


The direction of travel is now well established: every component of the certificate process is being shortened.

  • Publicly trusted certificates: eventually 47 days maximum.
  • DCV (Domain Control Validation): reducing to roughly 10 days.
  • OV / SII (organisation-validated data) reuse: reduced over the same period. It changes later and less aggressively than DCV, but it does change; it is not fixed at 366 days.

The DCV reduction is the operational sting. From March 2029, your organisation will, in effect, need to re-prove roughly every ten days that the certificate requester is authorised for the domain. Even organisations that automate issuance well ahead of 2029 will find a ten-day DCV cycle awkward to sustain.

This is the problem DNS-Persist-01 is designed to address. It is a new ACME challenge type, currently an IETF working draft (draft-ietf-acme-dns-persist, adopted by the ACME working group in October 2025, not yet a finished RFC). The regulatory path is already clear: CA/Browser Forum ballot SC-088v3 passed in October 2025, and Let's Encrypt has committed to implementing it during 2026. Rather than completing a fresh challenge on every issuance, you publish a single persistent DNS TXT record at the _validation-persist label, authorising a specific CA, bound to a specific ACME account, to issue for that domain for as long as the record remains in place.

The opportunity is obvious: no need to re-validate DCV every ten days.

The risk is equally important, and it is a governance one. A standing authorisation is only as sound as the record that underpins it. If something goes wrong with your certificate authority, your keys, or the underlying protocols, the responsibility to react by removing the DNS record now sits with you. A persistent authorisation creates a persistent obligation: a defined, maintained process to monitor certificate-component risk.
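The monitoring obligation described above can be made concrete as a periodic audit of the zone: every TXT record at a _validation-persist label is a standing issuance authorisation, so each one should map to a binding the organisation deliberately approved. The script below is an added example, not code from the post or from the DNS-Persist-01 draft. It assumes the record lives at the _validation-persist label (as the post says), that the TXT value is a semicolon-separated list of key=value fields, and that the authorised ACME account is named under an `accounturi` key (a naming borrowed from the CAA parameter in RFC 8657; the draft's actual record syntax should be checked before relying on this parser). The DNS records and the allowlist are constructed inline so it runs offline.

```python
"""
Audit of persistent ACME DNS authorisations (added example, not from the post).

Assumptions, none taken from the page:
  - records live at the _validation-persist label;
  - the TXT value is 'k=v; k=v' and names the authorised ACME account under
    an 'accounturi' key (assumed syntax, modelled on CAA accounturi);
  - the organisation keeps an allowlist of (zone, accounturi) bindings.
"""
from dataclasses import dataclass

PERSIST_LABEL = "_validation-persist"


@dataclass(frozen=True)
class Finding:
    name: str       # DNS owner name the finding concerns
    severity: str   # critical / high / medium
    detail: str


def parse_persist_record(txt: str) -> dict:
    """Parse 'k=v; k=v' into a dict (assumed syntax); keys are lower-cased."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def audit_persist_records(txt_records: dict, approved: dict) -> list:
    """
    txt_records: {owner_name: [txt_value, ...]} as a zone dump or resolver
                 would return (constructed in the demo below).
    approved:    {zone: {accounturi, ...}} bindings the organisation granted.
    Every published record that is not an exact approved binding is reported,
    because each one is standing authority to issue for that zone. Approved
    bindings that are missing from DNS are reported too: issuance will fail.
    """
    findings = []
    seen = {}  # zone -> set of accounturis actually published
    for owner, values in txt_records.items():
        labels = owner.rstrip(".").split(".")
        if labels[0] != PERSIST_LABEL:
            continue  # ordinary TXT record (SPF etc.), not an authorisation
        zone = ".".join(labels[1:])
        for value in values:
            try:
                fields = parse_persist_record(value)
            except ValueError as exc:
                findings.append(Finding(owner, "high", f"unparseable record: {exc}"))
                continue
            acct = fields.get("accounturi")
            if acct is None:
                findings.append(Finding(owner, "high", "record names no ACME account"))
                continue
            seen.setdefault(zone, set()).add(acct)
            if acct not in approved.get(zone, set()):
                findings.append(Finding(owner, "critical",
                                        f"unapproved standing authorisation for {acct}"))
    for zone, accts in approved.items():
        for acct in sorted(accts - seen.get(zone, set())):
            findings.append(Finding(f"{PERSIST_LABEL}.{zone}", "medium",
                                    f"approved binding for {acct} is not published"))
    return findings


# Constructed sample data: one approved record, one record nobody approved,
# one malformed record, one unrelated TXT record, one approved binding missing.
CONSTRUCTED_RECORDS = {
    "_validation-persist.example.com.": ["v=1; accounturi=https://ca.example/acme/acct/42"],
    "_validation-persist.example.net.": ["v=1; accounturi=https://other-ca.example/acct/7"],
    "_validation-persist.legacy.example.org.": ["persist please"],
    "example.com.": ["v=spf1 -all"],
}
APPROVED = {
    "example.com": {"https://ca.example/acme/acct/42"},
    "example.org": {"https://ca.example/acme/acct/42"},
}


def demo() -> list:
    return audit_persist_records(CONSTRUCTED_RECORDS, APPROVED)


if __name__ == "__main__":
    for finding in demo():
        print(finding.severity.upper(), finding.name, finding.detail)
```

Run on a live zone, the same audit would take its input from an authoritative zone transfer or a resolver query for each `_validation-persist` name you own; the point is that removing or changing one of these records is the organisation's lever for revoking a CA's standing authority, so the set of published records has to be reconciled against the set you intended, on a schedule, not only at the time the record was created.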

This is precisely the kind of control that needs to be designed in deliberately rather than assumed. McCormickCo Security helps organisations weigh mechanisms like DNS-Persist-01 against their own risk appetite and assurance requirements, and put the monitoring around them that makes them safe to rely on.
